Quick Start Security for GCP Cloud Storage
Coralogix Extension For GCP Cloud Storage Includes:
Alerts - 5
Stay on top of GCP Cloud Storage key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
A User Was Added to a Bucket IAM Permissions
Summary: This alert gets triggered when a user is added to a bucket or granted access to it.
Note: This alert should be configured with the relevant application and subsystem. Define timeframes and conditions that directly align with business objectives.
Impact: A potential threat actor might manipulate the permissions of a storage bucket to compromise the security controls of their target. Alternatively, an administrator could unintentionally alter the permissions, potentially resulting in the exposure or loss of data.
Mitigation: System administrators can adjust permissions for storage buckets. Confirm that any modifications to permissions align with anticipated changes. If unexpected permission changes are identified, remove the user from the bucket's access.
MITRE Tactic: TA0005
MITRE Technique: T1222
A Suspicious File Type Was Uploaded to a Bucket
Summary: This alert gets triggered when an unusual file type is uploaded to a bucket.
Note: Add the legitimate file formats used in your environment to the whitelist in the alert query.
Impact: Abnormal files have been uploaded to a bucket, posing a potential risk of malicious activity such as bots, malware, trojans, credential harvesting, and command-and-control (C2) operations.
Mitigation: Examine the file types uploaded to the bucket, remove any unusual files, and limit access to authorized users only.
MITRE Tactic: TA0010
MITRE Technique: T1537
Multiple Buckets Created by a User
Summary: This alert gets triggered when multiple buckets are created in a short time by a single user.
Note: In this alert, the threshold is set to more than 5 buckets created within a 20-minute timeframe.
Impact: Atypical creation of storage buckets could affect storage capacity and costs, and the buckets could serve as a place to store malicious data, facilitate data exfiltration, or enable unauthorized access.
Mitigation: Examine the configuration settings of the storage buckets and the data being stored in them. Evaluate the configuration to ensure compliance with corporate best practices.
MITRE Tactic: TA0010
MITRE Technique: T1020
Multiple Buckets Deleted By a User
Summary: This alert gets triggered when multiple buckets are deleted in a short period by a single user.
Note: In this alert, the threshold is set to more than 5 buckets deleted within a 15-minute timeframe.
Impact: A potential threat actor might intentionally erase a storage bucket to disrupt the business operations of their target. The impact includes data loss, operational interruption, database downtime, and similar outcomes.
Mitigation: System or network administrators can delete storage buckets. Confirm whether the user email, resource name, and/or hostname align with the entities authorized to make changes in your environment. For critical data buckets, it is recommended to take a daily data backup.
MITRE Tactic: TA0040
MITRE Technique: T1485
Bucket Was Updated
Summary: This alert gets triggered when a bucket configuration is updated. Cloud Storage is a managed service for storing unstructured data. Store any amount of data and retrieve it as often as you like.
Note: In this alert, the threshold is set to more than 5 modifications within 30 minutes from the same user; adjust it to your requirements.
Impact: Unexpected or security-related changes can jeopardize the bucket's safety. Key alterations such as encryption changes, retention policy adjustments, tagging modifications, or edits to destination buckets can introduce vulnerabilities. These unanticipated changes may create backdoors for unauthorized users, facilitate data exfiltration, enable unauthorized access, result in data loss, and significantly impact business operations.
Mitigation: Review the logs to identify the changes, and if anything appears suspicious, contact the user for clarification and justification. If the changes are part of regular business activities, you can close the alert. Otherwise, contact the engineering team to review the changes by analyzing the logs and ensuring there is no impact on operations. Additionally, if necessary, restrict the user's access to read-only to prevent similar activity in the future.
MITRE Tactic: TA0001
MITRE Technique: T1078
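The five alerts above all reduce to simple logic over GCP Cloud Audit Log entries: a per-user sliding-window count for bucket create/delete/update, a single-event match for IAM changes, and an extension allowlist for object uploads. The following Python script is an added illustration written for this page, not Coralogix's alert queries or any Coralogix code; it reads a few constructed, heavily simplified audit log entries (real entries carry many more fields) and applies the thresholds and windows stated in the alert descriptions. The method names (storage.buckets.create, storage.buckets.delete, storage.buckets.update, storage.setIamPermissions, storage.objects.create) are the ones GCP writes to protoPayload.methodName; the ALLOWED_EXTENSIONS set is an assumed placeholder for the whitelist the upload alert asks you to maintain.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sliding-window rules: methodName -> (alert name, threshold, window).
# Thresholds and windows are the ones given in the alert descriptions above.
WINDOW_RULES = {
    "storage.buckets.create": ("Multiple Buckets Created by a User", 5, timedelta(minutes=20)),
    "storage.buckets.delete": ("Multiple Buckets Deleted By a User", 5, timedelta(minutes=15)),
    "storage.buckets.update": ("Bucket Was Updated", 5, timedelta(minutes=30)),
}
# Assumed allowlist of legitimate upload extensions (the page calls this the whitelist).
ALLOWED_EXTENSIONS = {"pdf", "csv", "json", "parquet", "log"}


def parse_entry(raw):
    """Pull the fields the rules need out of one JSON audit log entry."""
    entry = json.loads(raw)
    payload = entry["protoPayload"]
    return {
        "ts": datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
        "method": payload["methodName"],
        "principal": payload["authenticationInfo"]["principalEmail"],
        "resource": payload["resourceName"],
    }


def detect(raw_entries):
    """Return a list of (alert name, principal) tuples, in time order."""
    alerts = []
    windows = defaultdict(deque)  # (principal, method) -> timestamps inside the window
    for e in sorted((parse_entry(r) for r in raw_entries), key=lambda x: x["ts"]):
        if e["method"] in WINDOW_RULES:
            name, threshold, window = WINDOW_RULES[e["method"]]
            q = windows[(e["principal"], e["method"])]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # drop events older than the window
                q.popleft()
            if len(q) == threshold + 1:  # fire once, when the count first exceeds the threshold
                alerts.append((name, e["principal"]))
        elif e["method"] == "storage.setIamPermissions":
            alerts.append(("A User Was Added to a Bucket IAM Permissions", e["principal"]))
        elif e["method"] == "storage.objects.create":
            obj = e["resource"].rsplit("/objects/", 1)[-1]
            ext = obj.rsplit(".", 1)[-1].lower() if "." in obj else ""
            if ext not in ALLOWED_EXTENSIONS:
                alerts.append(("A Suspicious File Type Was Uploaded to a Bucket", e["principal"]))
    return alerts


def _entry(ts, method, principal, resource):
    """Build a constructed, minimal audit log entry as a JSON string."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": resource}})


# Constructed sample log: six creates in 10 min (alerts), five deletes in 12 min (not more
# than 5, no alert), six updates spread over 60 min (never more than 5 in any 30-min window),
# one IAM change (alerts), one PDF upload (allowed) and one .exe upload (alerts).
SAMPLE_LOGS = (
    [_entry(f"2024-05-01T10:{m:02d}:00Z", "storage.buckets.create", "alice@example.com",
            f"projects/_/buckets/alice-bucket-{m}") for m in range(0, 12, 2)]
    + [_entry(f"2024-05-01T11:{m:02d}:00Z", "storage.buckets.delete", "bob@example.com",
              f"projects/_/buckets/bob-bucket-{m}") for m in range(0, 15, 3)]
    + [_entry(f"2024-05-01T{12 + m // 60:02d}:{m % 60:02d}:00Z", "storage.buckets.update",
              "eve@example.com", "projects/_/buckets/eve-bucket") for m in range(0, 72, 12)]
    + [_entry("2024-05-01T13:00:00Z", "storage.setIamPermissions", "carol@example.com",
              "projects/_/buckets/shared-bucket"),
       _entry("2024-05-01T13:05:00Z", "storage.objects.create", "dave@example.com",
              "projects/_/buckets/shared-bucket/objects/reports/q1.pdf"),
       _entry("2024-05-01T13:06:00Z", "storage.objects.create", "dave@example.com",
              "projects/_/buckets/shared-bucket/objects/tools/payload.exe")]
)

if __name__ == "__main__":
    for name, who in detect(SAMPLE_LOGS):
        print(f"ALERT: {name} ({who})")
```

The window rules fire once per principal when the count first exceeds the threshold rather than on every further event, which keeps a burst of 50 deletions from producing 45 duplicate alerts; an alerting platform would normally add its own suppression on top of this. The extension check keys off the object name only, so a renamed binary passes it; the page's mitigation step of reviewing what was actually uploaded remains necessary.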
Integration
Learn more about Coralogix's out-of-the-box integration with GCP Cloud Storage in our documentation.